summaryrefslogtreecommitdiffstats
path: root/src/VBox/Devices/PC/ipxe/src/net/validator.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/VBox/Devices/PC/ipxe/src/net/validator.c670
1 files changed, 670 insertions, 0 deletions
diff --git a/src/VBox/Devices/PC/ipxe/src/net/validator.c b/src/VBox/Devices/PC/ipxe/src/net/validator.c
new file mode 100644
index 00000000..693d4464
--- /dev/null
+++ b/src/VBox/Devices/PC/ipxe/src/net/validator.c
@@ -0,0 +1,670 @@
+/*
+ * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <ipxe/refcnt.h>
+#include <ipxe/malloc.h>
+#include <ipxe/interface.h>
+#include <ipxe/xfer.h>
+#include <ipxe/open.h>
+#include <ipxe/iobuf.h>
+#include <ipxe/xferbuf.h>
+#include <ipxe/process.h>
+#include <ipxe/x509.h>
+#include <ipxe/settings.h>
+#include <ipxe/dhcp.h>
+#include <ipxe/base64.h>
+#include <ipxe/crc32.h>
+#include <ipxe/ocsp.h>
+#include <ipxe/job.h>
+#include <ipxe/validator.h>
+#include <config/crypto.h>
+
+/** @file
+ *
+ * Certificate validator
+ *
+ */
+
+struct validator;
+
+/** A certificate validator action */
+struct validator_action {
+ /** Name */
+ const char *name;
+ /** Action to take upon completed transfer */
+ int ( * done ) ( struct validator *validator, const void *data,
+ size_t len );
+};
+
+/** A certificate validator */
+struct validator {
+ /** Reference count */
+ struct refcnt refcnt;
+ /** Job control interface */
+ struct interface job;
+ /** Data transfer interface */
+ struct interface xfer;
+
+ /** Process */
+ struct process process;
+
+ /** Root of trust (or NULL to use default) */
+ struct x509_root *root;
+ /** X.509 certificate chain */
+ struct x509_chain *chain;
+ /** OCSP check */
+ struct ocsp_check *ocsp;
+ /** Data buffer */
+ struct xfer_buffer buffer;
+
+ /** Current action */
+ const struct validator_action *action;
+ /** Current certificate
+ *
+ * This will always be present within the certificate chain
+ * and so this pointer does not hold a reference to the
+ * certificate.
+ */
+ struct x509_certificate *cert;
+};
+
+/**
+ * Get validator name (for debug messages)
+ *
+ * @v validator Certificate validator
+ * @ret name Validator name
+ */
+static const char * validator_name ( struct validator *validator ) {
+
+ /* Use name of first certificate in chain */
+ return x509_name ( x509_first ( validator->chain ) );
+}
+
+/**
+ * Free certificate validator
+ *
+ * @v refcnt Reference count
+ */
+static void validator_free ( struct refcnt *refcnt ) {
+ struct validator *validator =
+ container_of ( refcnt, struct validator, refcnt );
+
+ DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
+ validator, validator_name ( validator ) );
+ x509_root_put ( validator->root );
+ x509_chain_put ( validator->chain );
+ ocsp_put ( validator->ocsp );
+ xferbuf_free ( &validator->buffer );
+ free ( validator );
+}
+
+/**
+ * Mark certificate validation as finished
+ *
+ * @v validator Certificate validator
+ * @v rc Reason for finishing
+ */
+static void validator_finished ( struct validator *validator, int rc ) {
+
+ /* Remove process */
+ process_del ( &validator->process );
+
+ /* Close all interfaces */
+ intf_shutdown ( &validator->xfer, rc );
+ intf_shutdown ( &validator->job, rc );
+}
+
+/****************************************************************************
+ *
+ * Job control interface
+ *
+ */
+
+/**
+ * Report job progress
+ *
+ * @v validator Certificate validator
+ * @v progress Progress report to fill in
+ * @ret ongoing_rc Ongoing job status code (if known)
+ */
+static int validator_progress ( struct validator *validator,
+ struct job_progress *progress ) {
+
+ /* Report current action, if applicable */
+ if ( validator->action ) {
+ snprintf ( progress->message, sizeof ( progress->message ),
+ "%s %s", validator->action->name,
+ x509_name ( validator->cert ) );
+ }
+
+ return 0;
+}
+
+/** Certificate validator job control interface operations */
+static struct interface_operation validator_job_operations[] = {
+ INTF_OP ( job_progress, struct validator *, validator_progress ),
+ INTF_OP ( intf_close, struct validator *, validator_finished ),
+};
+
+/** Certificate validator job control interface descriptor */
+static struct interface_descriptor validator_job_desc =
+ INTF_DESC ( struct validator, job, validator_job_operations );
+
+/****************************************************************************
+ *
+ * Cross-signing certificates
+ *
+ */
+
+/** Cross-signed certificate source setting */
+const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={
+ .name = "crosscert",
+ .description = "Cross-signed certificate source",
+ .tag = DHCP_EB_CROSS_CERT,
+ .type = &setting_type_string,
+};
+
+/** Default cross-signed certificate source */
+static const char crosscert_default[] = CROSSCERT;
+
+/**
+ * Append cross-signing certificates to certificate chain
+ *
+ * @v validator Certificate validator
+ * @v data Raw cross-signing certificate data
+ * @v len Length of raw data
+ * @ret rc Return status code
+ */
+static int validator_append ( struct validator *validator,
+ const void *data, size_t len ) {
+ struct asn1_cursor cursor;
+ struct x509_chain *certs;
+ struct x509_certificate *cert;
+ struct x509_certificate *last;
+ int rc;
+
+ /* Allocate certificate list */
+ certs = x509_alloc_chain();
+ if ( ! certs ) {
+ rc = -ENOMEM;
+ goto err_alloc_certs;
+ }
+
+ /* Initialise cursor */
+ cursor.data = data;
+ cursor.len = len;
+
+ /* Enter certificateSet */
+ if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "
+ "certificateSet: %s\n", validator,
+ validator_name ( validator ), strerror ( rc ) );
+ goto err_certificateset;
+ }
+
+ /* Add each certificate to list */
+ while ( cursor.len ) {
+
+ /* Add certificate to chain */
+ if ( ( rc = x509_append_raw ( certs, cursor.data,
+ cursor.len ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not "
+ "append certificate: %s\n", validator,
+ validator_name ( validator ), strerror ( rc) );
+ DBGC_HDA ( validator, 0, cursor.data, cursor.len );
+ return rc;
+ }
+ cert = x509_last ( certs );
+ DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",
+ validator, validator_name ( validator ) );
+ DBGC ( validator, "%s\n", x509_name ( cert ) );
+
+ /* Move to next certificate */
+ asn1_skip_any ( &cursor );
+ }
+
+ /* Append certificates to chain */
+ last = x509_last ( validator->chain );
+ if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not append "
+ "certificates: %s\n", validator,
+ validator_name ( validator ), strerror ( rc ) );
+ goto err_auto_append;
+ }
+
+ /* Check that at least one certificate has been added */
+ if ( last == x509_last ( validator->chain ) ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "
+ "applicable certificates\n", validator,
+ validator_name ( validator ) );
+ rc = -EACCES;
+ goto err_no_progress;
+ }
+
+ /* Drop reference to certificate list */
+ x509_chain_put ( certs );
+
+ return 0;
+
+ err_no_progress:
+ err_auto_append:
+ err_certificateset:
+ x509_chain_put ( certs );
+ err_alloc_certs:
+ return rc;
+}
+
+/** Cross-signing certificate download validator action */
+static const struct validator_action validator_crosscert = {
+ .name = "XCRT",
+ .done = validator_append,
+};
+
+/**
+ * Start download of cross-signing certificate
+ *
+ * @v validator Certificate validator
+ * @v cert X.509 certificate
+ * @ret rc Return status code
+ */
+static int validator_start_download ( struct validator *validator,
+ struct x509_certificate *cert ) {
+ const struct asn1_cursor *issuer = &cert->issuer.raw;
+ const char *crosscert;
+ char *crosscert_copy;
+ char *uri_string;
+ size_t uri_string_len;
+ uint32_t crc;
+ int len;
+ int rc;
+
+ /* Determine cross-signed certificate source */
+ fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
+ crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
+ if ( ! crosscert[0] ) {
+ rc = -EINVAL;
+ goto err_check_uri_string;
+ }
+
+ /* Allocate URI string */
+ uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
+ + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
+ uri_string = zalloc ( uri_string_len );
+ if ( ! uri_string ) {
+ rc = -ENOMEM;
+ goto err_alloc_uri_string;
+ }
+
+ /* Generate CRC32 */
+ crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );
+
+ /* Generate URI string */
+ len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",
+ crosscert, crc );
+ base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
+ ( uri_string_len - len ) );
+ DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",
+ validator, validator_name ( validator ) );
+ DBGC ( validator, "\"%s\" cross-signature from %s\n",
+ x509_name ( cert ), uri_string );
+
+ /* Set completion handler */
+ validator->action = &validator_crosscert;
+ validator->cert = cert;
+
+ /* Open URI */
+ if ( ( rc = xfer_open_uri_string ( &validator->xfer,
+ uri_string ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
+ "%s\n", validator, validator_name ( validator ),
+ uri_string, strerror ( rc ) );
+ goto err_open_uri_string;
+ }
+
+ /* Success */
+ rc = 0;
+
+ err_open_uri_string:
+ free ( uri_string );
+ err_alloc_uri_string:
+ err_check_uri_string:
+ free ( crosscert_copy );
+ return rc;
+}
+
+/****************************************************************************
+ *
+ * OCSP checks
+ *
+ */
+
+/**
+ * Validate OCSP response
+ *
+ * @v validator Certificate validator
+ * @v data Raw OCSP response
+ * @v len Length of raw data
+ * @ret rc Return status code
+ */
+static int validator_ocsp_validate ( struct validator *validator,
+ const void *data, size_t len ) {
+ time_t now;
+ int rc;
+
+ /* Record OCSP response */
+ if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "
+ "response: %s\n", validator,
+ validator_name ( validator ),strerror ( rc ) );
+ return rc;
+ }
+
+ /* Validate OCSP response */
+ now = time ( NULL );
+ if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "
+ "OCSP response: %s\n", validator,
+ validator_name ( validator ), strerror ( rc ) );
+ return rc;
+ }
+
+ /* Drop reference to OCSP check */
+ ocsp_put ( validator->ocsp );
+ validator->ocsp = NULL;
+
+ return 0;
+}
+
+/** OCSP validator action */
+static const struct validator_action validator_ocsp = {
+ .name = "OCSP",
+ .done = validator_ocsp_validate,
+};
+
+/**
+ * Start OCSP check
+ *
+ * @v validator Certificate validator
+ * @v cert Certificate to check
+ * @v issuer Issuing certificate
+ * @ret rc Return status code
+ */
+static int validator_start_ocsp ( struct validator *validator,
+ struct x509_certificate *cert,
+ struct x509_certificate *issuer ) {
+ const char *uri_string;
+ int rc;
+
+ /* Create OCSP check */
+ assert ( validator->ocsp == NULL );
+ if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "
+ "check: %s\n", validator, validator_name ( validator ),
+ strerror ( rc ) );
+ return rc;
+ }
+
+ /* Set completion handler */
+ validator->action = &validator_ocsp;
+ validator->cert = cert;
+
+ /* Open URI */
+ uri_string = validator->ocsp->uri_string;
+ DBGC ( validator, "VALIDATOR %p \"%s\" checking ",
+ validator, validator_name ( validator ) );
+ DBGC ( validator, "\"%s\" via %s\n",
+ x509_name ( cert ), uri_string );
+ if ( ( rc = xfer_open_uri_string ( &validator->xfer,
+ uri_string ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
+ "%s\n", validator, validator_name ( validator ),
+ uri_string, strerror ( rc ) );
+ return rc;
+ }
+
+ return 0;
+}
+
+/****************************************************************************
+ *
+ * Data transfer interface
+ *
+ */
+
+/**
+ * Close data transfer interface
+ *
+ * @v validator Certificate validator
+ * @v rc Reason for close
+ */
+static void validator_xfer_close ( struct validator *validator, int rc ) {
+
+ /* Close data transfer interface */
+ intf_restart ( &validator->xfer, rc );
+
+ /* Check for errors */
+ if ( rc != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",
+ validator, validator_name ( validator ),
+ strerror ( rc ) );
+ goto err_transfer;
+ }
+ DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",
+ validator, validator_name ( validator ) );
+
+ /* Process completed download */
+ assert ( validator->action != NULL );
+ if ( ( rc = validator->action->done ( validator, validator->buffer.data,
+ validator->buffer.len ) ) != 0 )
+ goto err_append;
+
+ /* Free downloaded data */
+ xferbuf_free ( &validator->buffer );
+
+ /* Resume validation process */
+ process_add ( &validator->process );
+
+ return;
+
+ err_append:
+ err_transfer:
+ validator_finished ( validator, rc );
+}
+
+/**
+ * Receive data
+ *
+ * @v validator Certificate validator
+ * @v iobuf I/O buffer
+ * @v meta Data transfer metadata
+ * @ret rc Return status code
+ */
+static int validator_xfer_deliver ( struct validator *validator,
+ struct io_buffer *iobuf,
+ struct xfer_metadata *meta ) {
+ int rc;
+
+ /* Add data to buffer */
+ if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
+ meta ) ) != 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "
+ "data: %s\n", validator, validator_name ( validator ),
+ strerror ( rc ) );
+ validator_finished ( validator, rc );
+ return rc;
+ }
+
+ return 0;
+}
+
+/** Certificate validator data transfer interface operations */
+static struct interface_operation validator_xfer_operations[] = {
+ INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
+ INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
+};
+
+/** Certificate validator data transfer interface descriptor */
+static struct interface_descriptor validator_xfer_desc =
+ INTF_DESC ( struct validator, xfer, validator_xfer_operations );
+
+/****************************************************************************
+ *
+ * Validation process
+ *
+ */
+
+/**
+ * Certificate validation process
+ *
+ * @v validator Certificate validator
+ */
+static void validator_step ( struct validator *validator ) {
+ struct x509_link *link;
+ struct x509_certificate *cert;
+ struct x509_certificate *issuer = NULL;
+ struct x509_certificate *last;
+ time_t now;
+ int rc;
+
+ /* Try validating chain. Try even if the chain is incomplete,
+ * since certificates may already have been validated
+ * previously.
+ */
+ now = time ( NULL );
+ if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
+ validator->root ) ) == 0 ) {
+ DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",
+ validator, validator_name ( validator ) );
+ validator_finished ( validator, 0 );
+ return;
+ }
+
+ /* If there is a certificate that could be validated using
+ * OCSP, try it.
+ */
+ list_for_each_entry ( link, &validator->chain->links, list ) {
+ cert = issuer;
+ issuer = link->cert;
+ if ( ! cert )
+ continue;
+ if ( ! x509_is_valid ( issuer, validator->root ) )
+ continue;
+ /* The issuer is valid, but this certificate is not
+ * yet valid. If OCSP is applicable, start it.
+ */
+ if ( ocsp_required ( cert ) ) {
+ /* Start OCSP */
+ if ( ( rc = validator_start_ocsp ( validator, cert,
+ issuer ) ) != 0 ) {
+ validator_finished ( validator, rc );
+ return;
+ }
+ return;
+ }
+ /* Otherwise, this is a permanent failure */
+ validator_finished ( validator, rc );
+ return;
+ }
+
+ /* If chain ends with a self-issued certificate, then there is
+ * nothing more to do.
+ */
+ last = x509_last ( validator->chain );
+ if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
+ validator_finished ( validator, rc );
+ return;
+ }
+
+ /* Otherwise, try to download a suitable cross-signing
+ * certificate.
+ */
+ if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {
+ validator_finished ( validator, rc );
+ return;
+ }
+}
+
+/** Certificate validator process descriptor */
+static struct process_descriptor validator_process_desc =
+ PROC_DESC_ONCE ( struct validator, process, validator_step );
+
+/****************************************************************************
+ *
+ * Instantiator
+ *
+ */
+
+/**
+ * Instantiate a certificate validator
+ *
+ * @v job Job control interface
+ * @v chain X.509 certificate chain
+ * @v root Root of trust, or NULL to use default
+ * @ret rc Return status code
+ */
+int create_validator ( struct interface *job, struct x509_chain *chain,
+ struct x509_root *root ) {
+ struct validator *validator;
+ int rc;
+
+ /* Sanity check */
+ if ( ! chain ) {
+ rc = -EINVAL;
+ goto err_sanity;
+ }
+
+ /* Allocate and initialise structure */
+ validator = zalloc ( sizeof ( *validator ) );
+ if ( ! validator ) {
+ rc = -ENOMEM;
+ goto err_alloc;
+ }
+ ref_init ( &validator->refcnt, validator_free );
+ intf_init ( &validator->job, &validator_job_desc,
+ &validator->refcnt );
+ intf_init ( &validator->xfer, &validator_xfer_desc,
+ &validator->refcnt );
+ process_init ( &validator->process, &validator_process_desc,
+ &validator->refcnt );
+ validator->root = x509_root_get ( root );
+ validator->chain = x509_chain_get ( chain );
+ xferbuf_malloc_init ( &validator->buffer );
+
+ /* Attach parent interface, mortalise self, and return */
+ intf_plug_plug ( &validator->job, job );
+ ref_put ( &validator->refcnt );
+ DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",
+ validator, validator_name ( validator ), validator->chain );
+ return 0;
+
+ validator_finished ( validator, rc );
+ ref_put ( &validator->refcnt );
+ err_alloc:
+ err_sanity:
+ return rc;
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-03 14:02:57 +0000